On Wed, 15 Apr 1998, Pete Ashdown wrote:
Are we really concerned about being smurfed by a /30, or even a /27?
We should be concerned about receiving ping floods from two single addresses? The IP size of the network also figures into the nature of the attack. Smurfing is made easier by large subnets without directed-broadcast turned off. It is a lot more work to get the same results from networks smaller than a /27.
Sorry, I should have been more clear. I took that earlier statement to mean that we shouldn't be concerned about amplification networks smaller than /24. I felt that was implied by the discussion about filtering addresses ending in .255. The point I was trying to make is that I have many networks with masks longer than /24 (the majority of which are shorter than /27) that would make very effective smurf amplifiers if I didn't have directed broadcasts turned off. In my experience I've found that many networks use /24's, not because they necessarily need 254 hosts on that network, but because it's convenient since the network/host number falls on an octet boundary. Most of these networks I've seen have significantly less than 254 hosts on them. My networks with longer masks are much denser than what I've seen is the average /24, and therefore possibly more dangerous as amplifiers.

Brandon Ross                Network Engineering     404-815-0770    800-719-4664
Chief Network Engineer      MindSpring Enterprises, Inc             info@mindspring.com

Mosher's Law of Software Engineering: Don't worry if it doesn't work right. If everything did, you'd be out of a job.
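Added example, not part of the thread: a small Python audit helper (using only the standard `ipaddress` module; the prefixes are constructed RFC 5737 documentation ranges, not anyone's real networks) that lists each subnet's directed-broadcast address and the maximum number of hosts that could answer it, and shows how many of those broadcast addresses a "drop anything ending in .255" rule would actually catch, which is the gap Brandon describes for masks longer than /24.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample prefixes (RFC 5737 documentation ranges), not from the thread.
SAMPLE_PREFIXES = [
    "192.0.2.0/24",
    "192.0.2.0/25",
    "192.0.2.128/25",
    "198.51.100.0/27",
    "203.0.113.0/30",
]


def amplifier_profile(prefix: str) -> Tuple[str, int]:
    """Return (directed-broadcast address, max usable hosts) for a prefix.

    The host count is an upper bound on how many echo replies one packet sent to
    the directed-broadcast address could trigger if every host address is in use.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    hosts = max(net.num_addresses - 2, 0)  # network and broadcast are not hosts
    return str(net.broadcast_address), hosts


def missed_by_dot255_filter(prefixes: List[str]) -> List[str]:
    """Prefixes whose broadcast address does not end in .255, i.e. the ones a
    filter that only drops destinations ending in .255 would let through."""
    return [p for p in prefixes if not amplifier_profile(p)[0].endswith(".255")]


def dot255_coverage(supernet: str, new_prefix: int) -> Tuple[int, int]:
    """Carve supernet into /new_prefix subnets and return
    (total broadcast addresses, how many of them end in .255)."""
    net = ipaddress.ip_network(supernet, strict=True)
    subnets = list(net.subnets(new_prefix=new_prefix))
    covered = sum(1 for s in subnets if str(s.broadcast_address).endswith(".255"))
    return len(subnets), covered


if __name__ == "__main__":
    for p in SAMPLE_PREFIXES:
        bcast, hosts = amplifier_profile(p)
        print(f"{p:18} broadcast={bcast:16} max_responders={hosts}")
    print("not caught by a .255 filter:", missed_by_dot255_filter(SAMPLE_PREFIXES))
    total, covered = dot255_coverage("192.0.2.0/24", 27)
    print(f"a /24 split into /27s has {total} broadcast addresses, {covered} ends in .255")
```

Run it against your own prefix list to see which subnets still need `no ip directed-broadcast` (or the equivalent) rather than relying on a destination-address filter.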